Spyware Firm Should Address Alleged Misuse
(New York) – The Ethiopian government has renewed efforts to silence independent voices abroad by using apparent foreign spyware, Human Rights Watch said today. The Ethiopian authorities should immediately cease digital attacks on journalists, while foreign surveillance technology sellers should investigate alleged abuses linked to their products.
Independent researchers at the Toronto-based research center Citizen Lab on March 9, 2015, reported new attempts by Ethiopia to hack into computers and accounts of Ethiopian Satellite Television (ESAT) employees based in the United States. The attacks bear similarities to earlier attempts to target Ethiopian journalists outside Ethiopia dating back to December 2013. ESAT is an independent, diaspora-run television and radio station.
“Ethiopia’s government has over the past year intensified its assault on media freedom by systematically trying to silence journalists,” said Cynthia Wong, senior Internet researcher at Human Rights Watch. “These digital attacks threaten journalists’ ability to protect the safety of their sources and to avoid retaliation.”
The government has repressed independent media in Ethiopia ahead of the general elections scheduled for May, Human Rights Watch said. Many privately owned print publications heavily self-censor coverage of politically sensitive issues or have shut down. In the last year, at least 22 journalists, bloggers, and publishers have been criminally charged, at least six publications have closed amid a campaign of harassment, and many journalists have fled the country.
Many Ethiopians turn to ESAT and other foreign stations to obtain news and analysis that is independent of the ruling Ethiopian People’s Revolutionary Democratic Front. However, intrusive surveillance of these news organizations undermines their ability to protect sources and further restricts the media environment ahead of the elections. Government authorities have repeatedly intimidated, harassed, and arbitrarily detained sources providing information to ESAT and other foreign stations.
Citizen Lab’s analysis suggests the attacks were carried out with spyware called Remote Control System (RCS) sold by the Italian firm Hacking Team, which sells surveillance and hacking technology. This spyware was allegedly used in previous attempts to infect computers of ESAT employees in December 2013. If successfully installed on a target’s computer, the spyware would allow a government controlling the software access to activity on a computer or phone, including email, files, passwords typed into the device, contact lists, and audio and video from the device’s microphone and camera.
Citizen Lab also found that the spyware used in the attacks against ESAT appeared to have been updated as recently as December 2014. On November 19, a security researcher, Claudio Guarnieri, along with several nongovernmental organizations, publicly released a tool called Detekt, which can be used to scan computers for Hacking Team RCS and other spyware. Citizen Lab’s testing determined that Detekt was able to successfully recognize the version of RCS used in a November attack, but not the version used in a December attack. Citizen Lab concluded that this may indicate that the software had been updated sometime between the two attempts.
These new findings, if accurate, raise serious concerns that Hacking Team has not addressed evidence of abuse of its product by the Ethiopian government and may be continuing to facilitate that abuse through updates or other support, Human Rights Watch said.
Hacking Team states that it sells exclusively to governments, particularly law enforcement and intelligence agencies. The firm told Human Rights Watch in 2014 that “we expect our clients to behave responsibly and within the law as it applies to them” and that the firm will suspend support for its technology if it believes the customer has used it “to facilitate gross human rights abuses” or “who refuse to agree to or comply with provisions in [the company’s] contracts that describe intended use of HT [Hacking Team] software.” Hacking Team has also stated that it has suspended support for their product in the past, in which case the “product soon becomes useless.”
Media reports and research by independent human rights organizations in the past year have documented serious human rights violations by the Ethiopian government that at times have been facilitated by misuse of surveillance powers. Although spyware companies market their products as “lawful intercept” solutions used to fight serious crime or counterterrorism, the Ethiopian government has abused its counterterrorism laws to prosecute bloggers and journalists who merely report on public affairs or politically sensitive issues. Ethiopian laws that authorize surveillance do not adequately protect the right to privacy, due process, and other basic rights, and are inconsistent with international human rights requirements.
Hacking Team previously told Human Rights Watch that “to maintain their confidentiality” the firm does not “confirm or deny the existence of any individual customer or their country location.” On February 25, 2015, Human Rights Watch wrote to the firm to ask whether it has investigated possible abuse of its products by the Ethiopian government to target independent media and hack into ESAT computers. In response, on March 6 a representative of the firm emailed Human Rights Watch that the company “take[s] precautions with every client to assure that they do not abuse our systems, and, we investigate when allegations of misuse arise” and that the firm is “attempting to understand the circumstances in this case.” The company also stated that “it can be quite difficult to get to actual facts particularly since we do not operate surveillance systems in the field for our clients.” Hacking Team raised unspecified questions about the evidence presented to identify the spyware used in these attacks.
Human Rights Watch also asked the company whether contractual provisions to which governmental customers agree address governments’ obligations under international human rights law to protect the right to privacy, freedom of expression, and other human rights. In a separate March 7 response from the firm’s representative, Hacking Team told Human Rights Watch that the use of its technology is “governed by the laws of the countries of our clients,” and sales of its technology are regulated by the Italian Economics Ministry under the Wassenaar Arrangement, a multilateral export controls regime for dual-use technologies. The company stated that it relies “on the International community to enforce its standards for human rights protection.”
The firm has not reported on what, if any, investigation was undertaken in response to the March 2014 Human Rights Watch report discussing how spyware that appeared to be Hacking Team’s RCS was used to target ESAT employees in 2013. In its March 7 response, the company told Human Rights Watch that it will “take appropriate action depending on what we can determine,” but they “do not report the results of our investigation to the press or other groups, because we consider this to be an internal business matter.”
Without more disclosure of how Hacking Team has addressed potential abuses linked to its business, the strength of its human rights policy will be in question, Human Rights Watch said.
Sellers of surveillance systems have a responsibility to respect human rights, which includes preventing, mitigating, and addressing abuses linked to its business operations, regardless of whether government customers adequately protect rights.
“Hacking Team should publicly disclose what steps it has taken to avoid abuses of its product such as those alleged against the Ethiopian government,” Wong said. “The company protects the confidentiality of its customers, yet the Ethiopian government appears to use its spyware to compromise the privacy and security of journalists and their sources.”